[webkit-dev] question about WSA-2016-0002

Michael Catanzaro mcatanzaro at igalia.com
Sat Mar 26 16:06:52 PDT 2016


On Sat, 2016-03-26 at 15:53 -0600, Brian Martin wrote:
> http://webkitgtk.org/security/WSA-2016-0002.html
> 
> Of the six issues, five say to upgrade to 10.2.5 to mitigate, while the
> sixth (CVE-2016-1726) says upgrade to 10.2.8. Can you confirm that is
> the case rather than a typo?
> 
> Thank you,
> 
> Brian
> OSF / OSVDB.org

Hi Brian,

That page is correct; CVE-2016-1726 was not fixed until 2.10.8. It
seems strange, but it's not a typo. CVE assignment is handled by Apple
following their schedule for Safari releases and security advisories.
WebKitGTK+ security advisories are based on Safari advisories and so
follow behind on that schedule, but WebKitGTK+ stable releases are not
based on the same branches as Safari and do not follow that schedule.
Many vulnerabilities are already fixed in WebKitGTK+ releases at the
time of a new Safari advisory (as was the case for the other five
issues here), but others are missed and only fixed in WebKitGTK+ after
they're first fixed in Safari (which was the case for CVE-2016-1726).

Hope that helps explain the strangeness.

Michael